EMET Q&A

Following on from my earlier post on EMET, WDAG and the 1709 release on Windows, here is some Q&A on the topic.

Q: can I install EMET now that it is end of life?

This is a fair question. Using obsolete or unsupported software is very poor INFOSEC, so it’s probably no surprise that my general advice is not to use software that falls into that category.

In the past EMET has suffered from vulnerabilities, and there is no guarantee that it will not run up against new exploits in the future. You should at a minimum carry out a comprehensive review of new vulnerabilities, and probably combine a large deployment with a reputable pen test. Risk assess it to get the best answer for your particular situation.

Q: can EMET be uninstalled as a stop-gap measure?

Risk assess it! EMET can be uninstalled, and you might find that is a sensible strategy in the short term. Ensure any non-EMET systems are hardened using NCSC guidance, and enable some of the OS capabilities EMET automatically enables (such as DEP on an opt-out basis). Check the binaries of your applications, particularly those that process untrusted data and/or have network connectivity, to see whether they actually make use of DEP: even with DEP enabled system-wide on an opt-out basis, individual binaries can opt out if they are not compatible.

There are lots of tools and scripting options for checking PE executables for ASLR, DEP and other mitigation flags, and you should check them thoroughly. If you find binaries that do not support ASLR and DEP, consider your options and maybe switch to a competitor product.
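As an added example (not from the original post), here is a small Python check that reads the DllCharacteristics field of a PE header and reports whether the image opts into DEP (NX_COMPAT), ASLR (DYNAMIC_BASE, HIGH_ENTROPY_VA) and Control Flow Guard, and flags the case where DYNAMIC_BASE is set but relocations have been stripped, which leaves ASLR ineffective. The `build_sample_pe` helper constructs a minimal header purely so the check can be exercised offline; it is not a real binary.

```python
import struct

# IMAGE_OPTIONAL_HEADER.DllCharacteristics bits (PE/COFF specification).
DLL_FLAGS = {
    "HIGH_ENTROPY_VA": 0x0020,  # 64-bit ASLR over the full address range
    "DYNAMIC_BASE": 0x0040,     # ASLR opt-in
    "FORCE_INTEGRITY": 0x0080,  # signature enforced at load
    "NX_COMPAT": 0x0100,        # DEP opt-in
    "NO_SEH": 0x0400,           # image uses no structured exception handlers
    "GUARD_CF": 0x4000,         # Control Flow Guard
}
IMAGE_FILE_RELOCS_STRIPPED = 0x0001  # COFF Characteristics: no .reloc data

def pe_mitigations(data: bytes) -> dict:
    """Parse PE headers from raw file bytes and report opted-in mitigations."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    (characteristics,) = struct.unpack_from("<H", data, coff + 18)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+
        raise ValueError(f"unexpected optional header magic {magic:#x}")
    # DllCharacteristics is at offset 70 in both PE32 and PE32+ optional headers.
    (dll_chars,) = struct.unpack_from("<H", data, opt + 70)
    report = {name: bool(dll_chars & bit) for name, bit in DLL_FLAGS.items()}
    report["is_64bit"] = magic == 0x20B
    report["relocs_stripped"] = bool(characteristics & IMAGE_FILE_RELOCS_STRIPPED)
    # DYNAMIC_BASE without a relocation table cannot be rebased, so ASLR is not effective.
    report["aslr_effective"] = report["DYNAMIC_BASE"] and not report["relocs_stripped"]
    return report

def build_sample_pe(dll_chars: int, characteristics: int = 0, pe32plus: bool = True) -> bytes:
    """Constructed minimal PE header (not a real program) for offline testing."""
    e_lfanew = 0x40
    dos = b"MZ" + bytes(0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 240 if pe32plus else 224
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0, opt_size, characteristics)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 70, dll_chars)
    return dos + b"PE\0\0" + coff + bytes(opt)
```

For a real review, call `pe_mitigations(open(path, "rb").read())` on each .exe and .dll under an application's install directory and look for any with `NX_COMPAT` or `aslr_effective` reported as False.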
